https://www.macrumors.com/2026/07/01/hide-my-email-vulnerability-exposes-real-addresses
A significant vulnerability in Apple’s Hide My Email service has been found to allow almost anyone to uncover the genuine email address behind a generated alias, and Apple has failed to fully remediate the flaw despite having been informed of it more than a year ago by the researcher who discovered it. The vulnerability was responsibly disclosed to Apple in June 2025 along with detailed instructions to replicate it, initiating a prolonged and ultimately unsatisfying disclosure process in which Apple repeatedly acknowledged the issue, twice indicated it had been or was close to being resolved, and ultimately asked the researcher to continue withholding public disclosure while investigations remained ongoing. In tests conducted with volunteers, every single Hide My Email address evaluated by the researcher was found to be exploitable, representing a one hundred per cent exploitation rate that leaves no subset of the feature’s users with confidence that their alias is functioning as intended.
The timeline of Apple’s response to the disclosure paints a concerning picture of how the company handled a vulnerability with direct safety implications for real users. Apple acknowledged the report approximately one month after receiving it in June 2025 and indicated it was investigating. In March 2026, nearly nine months after the initial report, Apple said it had addressed the issue through a recent system change, a claim the researcher was able to disprove by verifying the flaw remained active, prompting Apple to acknowledge it was still investigating. By May 2026, Apple again confirmed the issue was under investigation and requested that the researcher refrain from public disclosure until the inquiry was complete. At the end of May, Apple indicated it expected to address the vulnerability in a security update in the coming weeks, a timeline that had still not produced a confirmed fix by the time of publication.
The practical consequences of the vulnerability extend well beyond the inconvenience of unwanted email contact. There are numerous people-search databases available freely online that are capable of linking an email address to a person’s broader personal details including physical address, phone number, and other identifying information. This means that individuals who rely on Hide My Email specifically for personal safety reasons, such as those seeking to limit their digital footprint when interacting with unknown parties or those in circumstances where being identifiable carries genuine risk, may be operating under a false sense of protection that the feature has not actually been delivering.